Chris’ wirre Gedankenwelt

Wait... What??? Where are all my /boot files gone?

Hello future me 👋

You might wonder where all the files, e.g. /boot/vmlinuz-linux, /boot/amd-ucode.img, /boot/initramfs-linux.img, and the boot loader configs in /boot/loader/entries have gone.

I changed everything to Unified Kernel Images (UKIs), primarily by changing the file /etc/mkinitcpio.d/linux.preset to generate the UKI. I also told the generation to place the kernel in /usr/local/share/boot/vmlinuz-linux instead of /boot/vmlinuz-linux, by setting ALL_kver="/usr/local/share/boot/vmlinuz-linux". The newly generated files end up in /boot/EFI/Linux/arch-linux.efi and /boot/EFI/Linux/arch-linux-fallback.efi. systemd-boot picks these up automatically, so no further entries are needed. Since there are no boot loader entries any more, we must tell the system about our cmdline some other way. This is done in /etc/cmdline.d/*.conf. These files are respected by mkinitcpio and are bundled into the mentioned /boot/EFI/Linux/arch-linux*.efi files.

$ cat /etc/cmdline.d/10-root.conf
rd.luks.name=9c8381f8-7e0f-44f6-be26-655b70d33a32=root root=UUID=a1af7e43-857b-4903-8896-e25484175e5d
$ cat /etc/mkinitcpio.d/linux.preset
ALL_kver="/usr/local/share/boot/vmlinuz-linux"

PRESETS=('default' 'fallback')

default_uki="/boot/EFI/Linux/arch-linux.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

fallback_uki="/boot/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"

While I was there, I decided to get rid of /boot/amd-ucode.img as well. mkinitcpio collects the firmware from /usr/lib/firmware/amd-ucode/ anyway, and packs it into the initramfs. No need to keep the file around. However, /boot/amd-ucode.img is part of the package amd-ucode. I had to tell pacman not to extract those files.

$ grep NoExtract /etc/pacman.conf
NoExtract   = boot/*-ucode.img

Those changes provide nothing but a learning opportunity 😄 And maybe… just maybe… at some point in the future, I will sign everything.

Update 2024-12-23

That went faster than expected. I just went on and created some keys and signed my images, roughly following Unified Extensible Firmware Interface / Secure Boot. Using systemd-ukify for signing, and systemd-boot for enrolment.

I decided to create my own files using openssl as documented. But first of all, I backed up my old setup. However, I realized that there is a “Restore to Factory Settings” option in the Setup of the Zenbook.

My first attempt was to sign the resulting EFI images, as well as the boot loader, with my own keys. Boot worked. However, now Windows for sure didn’t boot any more.

To fix that, I just grabbed my backed-up .esl files, combined the new ones with the old ones, and signed everything with my Platform Key (PK) or Key Exchange Key (KEK) respectively.

And voilà. A couple of hours and attempts later, Windows boots with Secure Boot enabled. The process took far too long, because I thought my signing stuff was wrong. However, it turned out the filesystem of my /boot was broken and had eaten the Windows boot loader. Took me a while to figure it out and find the original to restore my system :grim:

Generate keys

openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=chrigl Platform Key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=chrigl 2024-12-21 Key Exchange Key/" -out KEK.crt
openssl x509 -outform DER -in KEK.crt -out KEK.cer
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=chrigl Signature Database key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer

Create all the efi things

The old_*.esl files were backed up from the firmware’s EFI variables and are now included so that Windows and the ASUS stuff keep working. I know… not very secure… but this is only for toying around anyway :)

sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -g "$(< GUID.txt)" -c PK.crt -k PK.key PK /dev/null noPK.auth

cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt new_KEK.esl
cat new_KEK.esl old_KEK.esl > KEK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth

cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt new_db.esl
# Leaving PK.esl here for now, because of how ukify uses the same cert everywhere
cat new_db.esl old_db.esl PK.esl > db.esl

sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt dbx old_dbx.esl dbx.auth

cp db.auth keys/db/
cp dbx.auth keys/dbx/
cp KEK.auth keys/KEK/
cp PK.auth keys/PK/

Verifying everything, but not using sbkeysync for enrolment:

sbkeysync --keystore /etc/secureboot/keys --pk --dry-run --verbose
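The `cat new_KEK.esl old_KEK.esl > KEK.esl` and `cat new_db.esl old_db.esl PK.esl > db.esl` lines above work because a .esl file is just a sequence of EFI_SIGNATURE_LIST structures, so concatenation appends lists. Before handing such a file to sign-efi-sig-list it is worth checking what it actually contains. The following is an added example, not code from the post: a small stdlib-only Python parser for the EFI_SIGNATURE_LIST format that walks every list in a blob and reports the signature type, the owner GUID (what `-g "$(< GUID.txt)"` sets) and a fingerprint of each entry. The owner GUID and the certificate bodies in the sample are constructed placeholders; real entries carry DER-encoded certificates.

```python
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize; all integers are little-endian UINT32.
LIST_HDR = struct.Struct("<16sIII")
OWNER_LEN = 16  # every EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def parse_esl(blob: bytes) -> list[dict]:
    """Return one dict per signature entry across all lists in the blob.

    A .esl file may hold several EFI_SIGNATURE_LIST structures back to back,
    which is exactly what `cat new_KEK.esl old_KEK.esl > KEK.esl` produces.
    Malformed sizes raise ValueError instead of being silently skipped.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        if list_size < LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} at offset {off} does not fit the file")
        body = blob[off + LIST_HDR.size + hdr_size:off + list_size]
        if sig_size <= OWNER_LEN or len(body) % sig_size:
            raise ValueError(f"SignatureSize {sig_size} at offset {off} does not divide the list body")
        sig_type = uuid.UUID(bytes_le=type_raw)  # GUIDs are stored in little-endian layout
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + OWNER_LEN])
            data = body[i + OWNER_LEN:i + sig_size]  # DER certificate or raw SHA-256 hash
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        off += list_size
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST without a signature header, like cert-to-efi-sig-list."""
    if len({len(p) for p in payloads}) != 1:
        raise ValueError("all entries of one signature list must have the same size")
    sig_size = OWNER_LEN + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample data, not real certificates: the owner GUID stands in for the
# value in GUID.txt and the short byte strings for DER-encoded certificate bodies.
OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
NEW_KEK_ESL = build_esl(EFI_CERT_X509_GUID, OWNER_GUID, [b"DER of my KEK.crt"])
OLD_KEK_ESL = build_esl(EFI_CERT_X509_GUID, OWNER_GUID,
                        [b"DER of vendor KEK A", b"DER of vendor KEK B"])
KEK_ESL = NEW_KEK_ESL + OLD_KEK_ESL  # same bytes as: cat new_KEK.esl old_KEK.esl > KEK.esl


def describe(blob: bytes) -> list[str]:
    """Human-readable one-liners, one per entry, for eyeballing a file before enrolment."""
    return [f"{e['type']:<6} owner={e['owner']} bytes={e['size']:>5} sha256={e['sha256'][:16]}..."
            for e in parse_esl(blob)]


if __name__ == "__main__":
    # With a path argument, inspect a real .esl file; otherwise show the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else KEK_ESL
    print("\n".join(describe(blob)))
```

Run it as `python esl_inspect.py KEK.esl` (the file name is an assumption) to see every certificate that will end up in the variable. It parses plain .esl files only; the .auth files produced by sign-efi-sig-list carry an EFI_VARIABLE_AUTHENTICATION_2 header in front of the list and would need that header skipped first.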

Enrolment with systemd-boot

cp keys/*/*.auth /boot/loader/keys/auto/
cat /boot/loader/loader.conf

secure-boot-enroll manual

On reboot, you should see an additional menu entry, given that Secure Boot Setup Mode is enabled.

Signing kernel images

systemd-ukify must be installed and configured properly.

# cat /etc/kernel/uki.conf

[UKI]
SecureBootPrivateKey=/etc/secureboot/db.key
SecureBootCertificate=/etc/secureboot/db.crt

[PCRSignature:initrd]
PCRPrivateKey=/etc/secureboot/tpm2-pcr-private-key.pem
PCRPublicKey=/etc/secureboot/tpm2-pcr-public-key.pem
Phases=enter-initrd

[PCRSignature:system]
PCRPrivateKey=/etc/secureboot/tpm2-pcr-private-key.pem
PCRPublicKey=/etc/secureboot/tpm2-pcr-public-key.pem
Phases=enter-initrd:leave-initrd
       enter-initrd:leave-initrd:sysinit
       enter-initrd:leave-initrd:sysinit:ready

Manually Signing systemd-boot

There is no automation in place as of now.

Sign the systemd-bootx64.efi and install systemd-boot.

sbsign \
  --cert /etc/secureboot/db.crt \
  --key /etc/secureboot/db.key \
  /usr/lib/systemd/boot/efi/systemd-bootx64.efi

bootctl install

With all of this in place, systemd-cryptenroll can be used to unseal the LUKS-encrypted disk without requiring the real password.

E.g.

systemd-cryptenroll \
  --tpm2-public-key=/etc/secureboot/tpm2-pcr-public-key.pem \
  --tpm2-with-pin=yes \
  --tpm2-pcrs=7 \
  --tpm2-device=auto /dev/nvme0n1p5

For sure, the signing keys in particular should live somewhere else, in a secure place.

Author
Chris Glaubitz
Configuring, coding, debugging computers for a living. Riding bikes for fun.

👩‍🎓 TIL More About a Brand Nushell

I have known about nushell for quite a while. Today I installed nushell and gave it a try.

I thoroughly enjoy the hard break with traditional shells. “Everything is data”, the website claims. And this brings up a couple of interesting use cases. nushell supports JSON (along with a whole lot of other formats) out of the box, and also includes an HTTP client. This makes nushell a perfect fit for browsing JSON APIs from the command line.

However, there are a bunch of other really interesting use cases. Tools like iproute2 or lsblk can output JSON.

We list all devices in json format and tell nushell to interpret it as json.

lsblk -J | from json

(Screenshot: Running lsblk)

We want to drill into the small nested box with root included.

lsblk -J | from json | get blockdevices.children.0.4.children.0

(Screenshot: Running lsblk and delving deep into the data)

An absolutely great tool to dive into data 😄

You can even tell nushell to output in any known format. For example, | to md prints a markdown table.

I think I will find plenty of places where nushell will help me!


New Notebook, New archlinux Installation

Just talking about my personal notebook, at work I’m usually using some kind of macbook.

This November, I decided to retire my trusted Lenovo Thinkpad x230 from about 2013.

Because I’m a heavy terminal user, it was not too much of a deal. For programming, these days I’m on AstroNvim with full blown LSP setup. Which mostly was fast enough for me. However, the trusted gear served me very well over the years, but the difference to a macbook air M1 is just… noticeable.

This month I somehow decided: This is the time! I went online, did a fair bit of research… not too much for sure… and ended up on an ASUS Zenbook UM3406.

Completely new installation

I made some decisions about my OS. First, I want to keep a small partition for the included Windows 11. And to be perfectly honest, I’m impressed by it, and thought for a second: Maybe just stick with it and use WSL2? I just can’t stand it 😄

Because I really have a whole lot of respect for the people behind Universal Blue, I gave the Gnome spin a try. It really works well, but I’m old and a diehard archlinux user… So I just installed my beloved distro.

But why do I keep Win 11… I use it for Zwift and it is just too much of a faff to run it on Linux. Even for me, sometimes things should just work.

Took me three iterations to get both installations correct. Mostly because of being stupid and removing partitions by accident, and letting the Windows installer pick a too small EFI partition.

My last installation of archlinux dates back to 2011, when I installed my pre-pre notebook. This installation, I synced over to the Thinkpad in 2013. So I don’t remember anything about the old installation process. Today, I really liked how simple it is to configure WLAN using iwctl. I opted into doing full disk encryption, and did not separate /home from /, but created a single partition with btrfs. Guess I’m a btrfs user since 2013.

You might already have realized how weird I am. Very old school on one hand, but a sucker for new stuff on the other. This time, I opted into using systemd-homed to manage my home directory. Because I am using btrfs, being the sole user of this computer, and having full disk encryption, I use subvolume as the storage driver. There are strings attached, and some parts are not yet integrated into other parts. Like there is still accounts-service, but it is unable to really manage systemd-homed users. I expect things to come closer together in the future. I will get those pretty early, because of the rolling release nature of archlinux.

A brand new terminal emulator

For convenience purposes, I installed the package group gnome, which includes gnome-console. It works reasonably well, and has a more modern look and feel than my trusted gnome-terminal. The lovely Universal Blue folks brought my attention to ptyxis. I installed it via the gnome-software-center, which is configured to use flathub, because there is no archlinux package yet.

Tested the container features, using distrobox. Feels really nice and snappy. Some features I (unfortunately) cut out, because of using tmux. Here again, old man, old habits. For instance, Ptyxis colourizes the borders red when detecting sudo.

All in all, a great user experience. Did not spend too much time on it… well, because things should just work, and Ghostty is coming. I’m kind of a sucker for that kind of new stuff 😄

Using minimal config from the old one

This time, I decided to only copy over a minimal set of configurations from my old notebook. It proved to be a good decision. For instance, my Evolution mail client looks cleaner now, even though both are the same version.

What’s next?

This might or might not be my final installation. I still like the approach the lovely folks at Fedora and Universal Blue are taking. But for me, this notebook is not my “I earn money with it”-machine, and I love to have a relatively low level Linux.


👩‍🎓 TIL More About pkg.go.dev Tooling

I use pkg.go.dev regularly. Sometimes just for finding a package that I know, but not its full name. One of those is go-spew. I know the package, I know it exists, but I will never be able to keep the full path in my head (for good reasons). Wouldn’t it be great to search from the command line?

gofind is our new friend 😄

❯ gofind spew
spew (github.com/davecgh/go-spew/spew)
    Package spew implements a deep pretty printer for Go data structures to
    aid in debugging.

    Imported by 15,504 | v1.1.1 published on Feb 21, 2018 | ISC

spew (github.com/spewerspew/spew)
    Package spew implements a deep pretty printer for Go data structures to
    aid in debugging.

    Imported by 12 | v0.0.0-...-89b69fb published on May 13, 2023 | ISC

...

👩‍🎓 TIL More About Rke2, Containerd and Private Registries

In a debugging session, I wanted to pull a container image manually using ctr, and encountered this (to me weird) error.

root@server:/etc# ctr --debug -n k8s.io image pull registry.k8s.io/ingress-nginx/controller:v1.11.3
DEBU[0000] fetching image="registry.k8s.io/ingress-nginx/controller:v1.11.3"
DEBU[0000] resolving host=registry.k8s.io
DEBU[0000] do request host=registry.k8s.io request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.21-k3s2 request.method=HEAD url="https://registry.k8s.io/v2/ingress-nginx/controller/manifests/v1.11.3"
INFO[0000] trying next host error="failed to do request: Head \"https://registry.k8s.io/v2/ingress-nginx/controller/manifests/v1.11.3\": dial tcp: lookup registry.k8s.io on 127.0.0.53:53: server misbehaving" host=registry.k8s.io ctr: failed to resolve reference "registry.k8s.io/ingress-nginx/controller:v1.11.3": failed to do request: Head "https://registry.k8s.io/v2/ingress-nginx/controller/manifests/v1.11.3": dial tcp: lookup registry.k8s.io on 127.0.0.53:53: server misbehaving

I was a bit puzzled, because containerd is configured to use a private registry, and should not go to the internet to find images. I double checked that the image was really there, and explicitly tested other images. Still the same error though.

At some point, I discovered that I need to add the registry configuration explicitly to ctr:

ctr -n k8s.io image pull --hosts-dir /var/lib/rancher/rke2/agent/etc/containerd/certs.d/ registry.k8s.io/ingress-nginx/controller:v1.11.3

👩‍🎓 TIL More About VLANs and iproute2

How to show VLAN information of an interface?

$ ip -d link show IFACE

7: fabric@enp202s0f0np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether b8:3f:d2:b9:2c:a4 brd ff:ff:ff:ff:ff:ff promiscuity 0  allmulti 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 1 <REORDER_HDR> addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 524280 tso_max_segs 65535 gro_max_size 65536

👩‍🎓 TIL More About Vim Registers

You never stop learning new things. Just to set the scene. I’m a diehard vi user for 23+ years. Starting with nvi (because of because), ending up in using neovim these days. At least, I tell myself to be relatively fluent in navigating around and getting things done. However, there are still tricks to learn every day.

This time, it is about :h registers. I ended up there by :Telescope registers, just because I wandered around Telescope to learn what it provides that I’m currently missing out on.

I regularly use named registers ("a to "z) for copying stuff around, and the "/ register. I also knew about the “delete history” in the numbered registers. Totally new to me is "0, which holds the last yanked content. So far, if I yanked something and afterwards deleted a line, in my head the yanked bits were lost. I went back, yanked it into a named register, and continued. Now, I only need to paste with "0p 🧚‍♀️


👩‍🎓 TIL About Fish abbr

Every day is a learning opportunity. I’ve been a fish shell user for about 8 years now. Don’t even know any more why I made the switch. But here I am 😄

Today I learned about a very nice feature… abbr.

“abbr manages abbreviations - user-defined words that are replaced with longer phrases when entered.”

Example. I want to have “aliases”, but don’t want to see the alias in my history, but rather the real command.

$ abbr kgp kubectl get pods
$ abbr kgn kubectl get nodes

When typing one of those, followed by Space or Enter, the real command will be expanded, and thus end up in your history.

(Screenshot: using abbr)

Thanks @justingarrison for the hint in How I use kubectl!
